We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.
To see this for yourself, fire up Safari and go to this demo page.
- When the page loads, type in a fake email address and a fake password. Don’t use your real info.
- Click the link at the bottom of the page.
- Safari will offer to save your password for that site. Click Save.
The demo will then jump to a sniffer page which contains an invisible login form. Safari will helpfully populate the form, and this new demo page will display the sniffed results.
This approach is only possible when a third party has script access to the first-party domain. Thus, our third-party script is only able to recover the credentials you saved for this website (senglehardt.com). It is not possible for us to access credentials for other websites.
So far, your data is visible only to a script running on the same site where you saved the credentials. The problem is scripts that run on many sites:
We found two scripts using this technique to extract email addresses from login managers on the websites which embed them. These addresses are then hashed and sent to one or more third-party servers. These scripts were present on 1110 of the Alexa top 1 million sites. The process of detecting these scripts is described in our measurement methodology in Appendix 1. We provide a brief analysis of each script in the sections below.
Bottom line: the scripts save hashed (encrypted) versions of surreptitiously harvested login info and compare them against a stored database of other hashed results. If there is a match, the tracker knows who you are.
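A defender-side check for this pattern, added here as an example and not part of the original post or the research it quotes: it audits a page for credential inputs that a login manager would autofill but that no user could ever see (the hidden form in the demo above). The field names, size and off-screen thresholds are my own assumptions, and the snapshot-based design keeps the core logic free of DOM calls so it can also run as a plain Node test.

```javascript
// Audit for "invisible" credential fields: inputs a browser login manager
// would autofill while the user cannot see or interact with them.

const CREDENTIAL_TYPES = new Set(["password", "email", "text"]);

// Style/geometry snapshot of one <input>. Pure data, no DOM, so it is testable.
// Fields: type, name, autocomplete, display, visibility, opacity, width, height,
// left, top, right, bottom, viewportWidth, viewportHeight (assumed names).
function isInvisible(snap) {
  if (snap.display === "none" || snap.visibility === "hidden") return true;
  if (Number(snap.opacity) === 0) return true;
  // A zero-size box also covers ancestors with display:none, since
  // getBoundingClientRect() then reports all zeros for the descendant.
  if (snap.width === 0 || snap.height === 0) return true;
  // Entire box left of / above the viewport, or past its right/bottom edge
  // (the classic left:-9999px trick).
  if (snap.right <= 0 || snap.bottom <= 0) return true;
  if (snap.left >= snap.viewportWidth || snap.top >= snap.viewportHeight) return true;
  return false;
}

// Only password/email fields, or text fields that look like a username field.
function looksLikeCredentialField(snap) {
  if (!CREDENTIAL_TYPES.has(snap.type)) return false;
  if (snap.type === "password" || snap.type === "email") return true;
  const ac = (snap.autocomplete || "").toLowerCase();
  return ac === "username" || ac === "email" || /user|email|login/i.test(snap.name || "");
}

// Core check over snapshots: returns the suspicious fields, in document order.
function findHiddenCredentialFields(snapshots) {
  return snapshots.filter((s) => looksLikeCredentialField(s) && isInvisible(s));
}

// Browser adapter: build a snapshot from a live element.
function snapshotOf(el, win) {
  const cs = win.getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return {
    type: (el.getAttribute("type") || "text").toLowerCase(),
    name: el.getAttribute("name") || "",
    autocomplete: el.getAttribute("autocomplete") || "",
    display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
    width: r.width, height: r.height, left: r.left, top: r.top, right: r.right, bottom: r.bottom,
    viewportWidth: win.innerWidth, viewportHeight: win.innerHeight,
  };
}

// Entry point for a browser console or content script: auditDocument(document, window).
function auditDocument(doc, win) {
  return findHiddenCredentialFields(Array.from(doc.querySelectorAll("input")).map((el) => snapshotOf(el, win)));
}
```

Running auditDocument in the console on the demo's sniffer page would list its hidden email and password inputs; on a normal login page the result should be empty.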
This is all a bit complicated, but my 2 cents: Apple should address this in some way to prevent this form of cross-site tracking.